Encrypting Degoo Cloud Drive With Cryptomator

In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo.com cloud drive service. For a generic overview that is not Degoo-specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo.com and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the Degoo.com cloud drive service here.

Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to Cryptomator.org and download and install the software (it’s free and open source!). Once installed, you’ll need to set up one or more “vaults”, which are simply folders on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder where you want to store your encrypted files (the folder should be empty right now) and give it a name (I named mine Cryptomator).
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I highly recommend saving it in a password manager like LastPass.com. I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the vault by clicking the “Create Vault” button. This stores a couple of small files in there that Cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process; creation is done. From here on, this is the everyday step you’ll repeat: unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be where ever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created.  This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is where ever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveat: Files in your Z: drive CANNOT be larger than 2GB! That’s a limitation of the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with a decrypted view of the data. ALWAYS remember this! You will NOT back up your Z: drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo.com

Now that you have a folder that contains your encrypted files and an easy way to use the encrypted files (your Cryptomator Z: drive), you need to sync the encrypted files to your Degoo.com account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on Degoo.com and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder (the one with the unreadable encrypted files, NOT YOUR Z: DRIVE!!!!) and click “Add folder to backup”.
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z: drive is automatically encrypted at the time it’s written, and since the real folder with the encrypted files is the one that’s backed up, your data is automatically backed up in addition to being automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have no reason to believe they are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have the password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that further by setting up your vault to save your password and auto-unlock on start, so you don’t have to unlock Cryptomator by hand.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.

WARNINGS!

You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT back up your Z: drive (or whatever drive letter Cryptomator makes for you). That is DECRYPTED, and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.

How I Protect Myself Against Ransomware

What is Ransomware?

Ransomware is probably the worst kind of malware you can get infected with.  After it gets into your system, it secretly encrypts all your disk drives in the background.  Once it’s done, it notifies you that all your files are encrypted and locked and demands an exorbitant amount of money to be transferred to the thieves (usually via BitCoin) in order to receive the decryption key and sometimes they take your money and never give you the key.  The longer you wait, the higher the ransom, until after about 3 days, they delete your key and your files are gone forever.

Things that do NOT work:

  • Encrypting your hard drive.  While it’s good practice to encrypt your hard drive, this does absolutely NOTHING to protect against Ransomware.  It may protect you from external people snooping your data, but if ransomware gets installed on your machine, it has access to your drive while it’s unencrypted, and can then encrypt it with its own keys.
  • Backups created using the same PC.  Why would having a backup NOT work against ransomware?  Because again, the ransomware can see and write to your backup drive if it’s accessible from your same PC and it will encrypt that too!

How I’m protecting myself against Ransomware

  • I have 2 drives on my main PC:  A boot drive that contains Windows and the installed applications, and an external, high capacity hard drive where ALL my data goes, INCLUDING my Windows Desktop, and all the special windows folders like desktop, documents, pictures, videos, downloads, etc…
  • My boot drive and my external drive are both encrypted (not really a help against Ransomware… just thought I’d mention that they’re encrypted).
  • I have a second drive of equal capacity as my data drive and it’s hooked up to an older Linux laptop.
  • On the host Windows PC, I created a user account named “Backup” (it could be named anything) with read-only access to my main data drive on my Windows PC.
  • On Linux, I used Veracrypt to encrypt my backup drive that’s connected to it (doesn’t really help against Ransomware, but again, just thought I’d mention it.)
  • A scheduled backup program runs on the Linux laptop (luckyBackup… a GUI for rsync), connecting to my Windows PC over the network with the Windows “Backup” user account. It backs up all of my Windows external data drive to the encrypted backup drive on the Linux laptop and runs a differential backup every night.
  • Critically, the Windows PC has no direct access to the Linux backup drive.
  • My Linux laptop boots off a Linux flash thumb drive and does NOTHING but backup.

How does this protect me?

By using 2 different PCs, the chances of BOTH of them being infected with ransomware at the same time are very small. By using 2 different operating systems, the chances of both being infected at the same time are drastically reduced. While Linux is NOT virus free and is NOT ransomware free, it’s significantly more resilient and will NOT be infected by a Windows ransomware infection. If, by chance, the Linux machine gets infected with ransomware, it has only read-only access to my data drive on my Windows PC and will not be able to encrypt it. In either case, I have my full data on the other machine.

What happens if my Windows machine gets Ransomware?

I’ll reformat all of my Windows drives by booting off a clean flash thumb drive that has Windows installation media.  Then I’ll have to manually re-install my software, which will be a pain, but I have access to all of it.  Then I’ll need to restore my data to my data drive from my clean Linux backup.

What happens if my Linux machine gets Ransomware?

I’ll reformat all my Linux drives by booting off a clean flash thumb drive and then re-set up my backup system.  My Windows machine at that time should be clean.

Why doesn’t Encrypting my drives help me?

Encrypting your drives DOES help protect you against adversaries trying to gain access to your data, but it does NOT help protect you against ransomware, which simply wants to DESTROY your data. The reason is that ransomware runs after you’ve booted into Windows, and Windows has decrypted access to your encrypted drives. That means the ransomware has access to your encrypted drives too and can simply double-encrypt your data.

Encrypting the Non-Encrypted Cloud Drive Services

In this article in my series of “Encrypt All The Things!”, I’ll show how to fully encrypt your files on popular cloud drive services that do not support zero knowledge encryption.  Such services that do NOT support zero knowledge encryption are:

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • Box.Net
  • Amazon Cloud Drive

That is obviously not a comprehensive list.  Some that DO support zero knowledge encryption:

  • Mega
  • Spider Oak

That is also not a comprehensive list.  The problem with Mega is that it’s closed source, so you can’t confirm that everything’s on the up and up.  In fact, Kim Dotcom, the creator of Mega, was/is wanted by the United States government for hosting pirated material.  That’s why he created Mega, so he’d have zero ability to decrypt the data, which was a great big middle finger to the U.S. government.  He’s since left the company and now claims it can’t be trusted, but we don’t know if that’s just sour grapes from him, or if there’s a legitimate reason for him to say that.  At any rate, it’s closed source, so there’s no way to confirm.

Spider Oak is also closed source AND it costs money.  It’s not a free service.

But, there are plenty of free cloud drive services (listed above at the top of this article), but none of them support zero knowledge encryption.  But, there’s now a fairly easy way to encrypt those.

Download and install the free, open source software called Cryptomator.  You can get it here:

https://cryptomator.org/

As of this writing, they only have a Linux, Windows, and Mac version, but they are actively working on Android and iOS versions.

How it works

Once you install Cryptomator on your PC, you configure it to access each of your cloud drive services.  At the time of this writing, Cryptomator supports 4 of the popular cloud drive services.

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • (I can’t find information on the 4th one)

But, it should work with any cloud drive as long as you have a synced folder on your PC to that cloud drive service.  It doesn’t have to directly support your cloud drive service AS LONG AS your cloud drive software provides a local sync folder that other apps on your PC can access.

Below, I give general instructions.  The exact steps are clearly outlined in the Cryptomator documentation.  This will give you the basic idea of what you’re trying to accomplish…

Once installed, you add a “vault” to Cryptomator, create a password, and point Cryptomator to your local sync folder.  It will then create a virtual drive (using an unused drive letter) and store some encrypted files in your local sync folder.

Now, with your new drive letter, just put any files you want encrypted into there and NOT directly in your local sync folder.  If you put anything directly in your local sync folder IT WILL NOT BE ENCRYPTED!!!!  If you put files in the virtual drive that Cryptomator created for you and gave a drive letter, those files will appear unencrypted to you as long as you have the “vault” unlocked with Cryptomator.  The actual encrypted bytes of the files are stored in the local sync folder associated with your cloud drive service.  If you open the sync folder, you’ll see meaningless file names and meaningless folder names with encrypted files in them.  That’s the encrypted data.  To have an unencrypted window into that encrypted data, simply open the new drive letter that Cryptomator created for you when you unlocked the vault with your password.

Since the encrypted bits are stored in your sync folder, they get synchronized with your cloud server and it’s those encrypted bits that are stored on the cloud drive servers.

Once you get that working, it’s a good idea to drag and drop all your previously existing NON ENCRYPTED files and folders from your local sync folder into your vault virtual drive.  Once you’ve confirmed they’re in the vault, BACK UP YOUR FILES, then you can safely delete them from your sync folder, which will delete the unencrypted files from your remote cloud drive, leaving only the encrypted bits.  Cryptomator will automatically encrypt them and store the encrypted bits back into your local sync folder, which your cloud drive software will then upload to your cloud drive service.

Caveats

  • Errors with large folders: I have about 64GB in my Microsoft One Drive.  When I tried moving my camera roll folder into my Cryptomator virtual drive associated with OneDrive, it kept failing.  I presume it wasn’t designed for folders with that many files or that many bytes.  After many days of effort, I finally did get it working.  I do not know if it was a OneDrive problem or a Cryptomator problem.  I had no issues encrypting my Google Drive nor my DropBox, but neither of them had as much data.
  • No Mobile (yet): Right now, there’s no mobile access to your encrypted data.  They’re actively working on both Android and iOS apps, so that may change by the time you see this.
  • No browser access: Since the web interfaces of these cloud services simply show you the files as they are on their services, after you encrypt your files and folders, when viewing them with a web browser on those services, you’ll only see the encrypted data.  This makes sense because the cloud drive services are unaware of the encryption switch-aroo you’ve done.  Don’t expect this to change.
  • Your Key: With zero knowledge encryption, you keep your key locally, but Cryptomator stores your key ON your remote cloud drive.  Don’t fret too much though.  It’s encrypted with the password that you made when you created your vault.  Technically, your password is your key.  In my judgment, it’s fairly safe.  Though, I wouldn’t be storing my archives of my classified State Department e-mail on any of these public cloud drives, even with Cryptomator.
  • Meta data: The contents of your files are encrypted as well as the file and folder names, but the timestamps are NOT encrypted and neither are the number of files, the number of folders, nor the sizes of the files.  The timestamps are left as is in order for your cloud drive software (OneDrive, Google Drive, DropBox, etc…) to know when things have changed so it can sync properly.  The file sizes are a result of how many bytes you’re encrypting.  The number of encrypted files will be roughly equal to the number of files as they were before they were encrypted (but the contents will be fully encrypted).  This too is a side effect of how the syncing works.
  • Mobile still unencrypted: You should probably turn off or uninstall the cloud drive software on your mobile devices because you won’t be able to see anything but encrypted data.  Also, any files you have locally on your mobile device that you have set to sync will be uploaded UNENCRYPTED.  Then you’ll have a mix of both encrypted and unencrypted files on your cloud drive.  Remember, Cryptomator is actively working on Android and iOS apps.  When they’re available, you can install those and follow Cryptomator’s recommendations on what to do with your cloud drive provider software.
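As an added example (not from the article and not Cryptomator’s own code), here is a small Python audit of the encrypted vault storage folder, run before that folder is handed to Degoo or any sync client: it flags anything at the vault root that Cryptomator did not create (the plaintext leak the WARNINGS in the Degoo article above forbid) and reports what the sync service can still observe, which is the metadata caveat in this section (file count, sizes, timestamps). The set of root file names Cryptomator keeps is an assumption based on the two masterkey files the article mentions, and the sample vault is constructed.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Directory under which Cryptomator stores the encrypted files
# (the "d" folder the article points out).
ENCRYPTED_DIR = "d"


def is_cryptomator_root_file(name: str) -> bool:
    """Files Cryptomator itself keeps at the vault root.

    Assumption: the two masterkey files the article mentions (the backup copy
    carries a .bkup suffix) plus vault.cryptomator on newer versions. Anything
    else at the root was written there directly and would be synced as-is.
    """
    return name.startswith("masterkey.cryptomator") or name == "vault.cryptomator"


@dataclass
class VaultReport:
    plaintext_entries: list = field(default_factory=list)  # readable names at the root
    encrypted_files: int = 0    # a sync service can count these...
    total_bytes: int = 0        # ...and measure their sizes...
    newest_mtime: float = 0.0   # ...and timestamps stay in the clear for syncing
    has_masterkey: bool = False


def audit_vault_folder(root) -> VaultReport:
    """Walk the encrypted storage folder (never the unlocked Z: view)."""
    root = Path(root)
    report = VaultReport()
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name == ENCRYPTED_DIR:
            continue
        if entry.is_file() and is_cryptomator_root_file(entry.name):
            if entry.name == "masterkey.cryptomator":
                report.has_masterkey = True
            continue
        # Not produced by Cryptomator: it would be backed up unencrypted.
        report.plaintext_entries.append(entry.name)
    enc = root / ENCRYPTED_DIR
    if enc.is_dir():
        for path in enc.rglob("*"):
            if path.is_file():
                st = path.stat()
                report.encrypted_files += 1
                report.total_bytes += st.st_size
                report.newest_mtime = max(report.newest_mtime, st.st_mtime)
    return report


def is_safe_to_sync(report: VaultReport) -> bool:
    """True only if the vault is intact and nothing readable sits beside it."""
    return report.has_masterkey and not report.plaintext_entries


def build_sample_vault(base) -> Path:
    """Constructed sample mimicking the layout the article describes:
    masterkey files, a d/WQ folder with unreadable names, and one file
    mistakenly dropped at the root (exactly what the WARNINGS forbid).
    Names and contents are placeholders, not real Cryptomator output."""
    root = Path(base) / "test"
    wq = root / ENCRYPTED_DIR / "WQ"
    wq.mkdir(parents=True)
    (root / "masterkey.cryptomator").write_bytes(b"constructed placeholder")
    (root / "masterkey.cryptomator.bkup").write_bytes(b"constructed placeholder")
    (wq / "AB7XK3Q2NFK5ZJSDLT4WKS3Q6V7NY4MZ").write_bytes(os.urandom(300))
    (wq / "QOTZDLWLX5RMM5DH2JNDL4KJ2J3Q6WTG").write_bytes(os.urandom(700))
    (root / "notes.txt").write_text("this would be synced in the clear")
    return root


def audit_sample() -> VaultReport:
    """Build the constructed vault in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault_folder(build_sample_vault(tmp))


if __name__ == "__main__":
    rep = audit_sample()
    print("safe to sync:", is_safe_to_sync(rep))
    print("plaintext at vault root:", rep.plaintext_entries)
    print(f"observable anyway: {rep.encrypted_files} files, {rep.total_bytes} bytes, "
          f"last change {time.ctime(rep.newest_mtime)}")
```

Point `audit_vault_folder` at your real vault storage folder (Documents\deleteme\test in the article, never the Z: drive) to run the same check on your own setup.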

Use this information about the caveats

Mobile: Encrypting All Internet Traffic

This is one of many articles in a series I’m writing, “Encrypt All The Things! [A Guide]”, to cover end-to-end encryption for everything you do in your digital life.  I’ll cover encrypting specific types of internet traffic (like E-Mail, Web sites, etc…) in other articles.

For a primer on encryption, please read my article “Understanding Encryption”, as it teaches VERY IMPORTANT concepts that you need to know before moving forward here.

This works for rooted AND unrooted phones.

Big Disclaimer

Before going any further, let’s make one thing perfectly clear on THIS particular encryption.  This does NOT make all your internet traffic encrypted from your phone all the way to the final destination!

So… What does it do then?

This will encrypt your connection from your phone through and past your ISP.  It protects you from your ISP and anyone snooping on your local end of the network.  This is great for when you need to use public wifi.  Scammers running a free wifi node will NOT be able to see your data NOR will they know where on the internet you’re going.

So… What does it NOT do?

Excellent question!  Let’s say you’re browsing a website that’s NOT encrypted (like this page you’re on right now)… Under normal circumstances, anyone snooping your network traffic ANYWHERE on the internet… from your local connection all the way to the connection on my end at my website, can see:

  • Your IP address.
  • The URL you’re wanting to visit.
  • Anything you type on my search page.
  • The contents of the pages my website sends back to you.
  • In short, everything is visible and in the clear.

Using the techniques in this article, you’ll be on an encrypted connection from your phone, through and past your ISP to some random computer on the TOR network, to a couple MORE computers on the TOR network, till your connection finally exits the TOR network and gets back on the regular internet, possibly in another country.  From THERE, your connection from THAT computer to my website is entirely unencrypted.

So… Why use TOR then?

To hide your network activity from your ISP, your cell phone provider network, your employer’s wifi, your local government(s) (including the NSA and GCHQ (the British NSA)), and anyone else snooping on the network near your end of the connection.  It will also hide your IP address from the websites you’re visiting.  You can make yourself appear to be in just about any country you choose.

Will this guarantee no one can see what I’m doing online?

LOL!  You’re cute when you’re innocent.  Of course not.  NOTHING is 100% safe on the internet, but it’s pretty darn strong protection and causes even the NSA headaches.  Someone with lots of resources would have to be specifically targeting you and it would be very difficult for them, even then.  You’re reasonably safe even against the NSA, but not totally.

What does it encrypt?

Note that this is a method to obfuscate ALL your internet traffic from your Android device, not just web browsing, but everything, including traffic to and from the Google Play Store, Google searches, and game communication.  Again, it will NOT encrypt an unencrypted connection.  It will encrypt all steps of the connection up to the exit node (see “How does it work?” below).

How does it work?

There are thousands of computers all around the world volunteering to be part of the TOR (The Onion Router) network.  When you connect to the TOR network, you’re randomly choosing an entry node computer somewhere in the world.  That computer then forwards your traffic to another, randomly chosen computer somewhere else in the world, which then forwards you to yet another computer on TOR somewhere else in the world, which then forwards you to a randomly selected TOR “exit node” computer… a computer on TOR whose purpose is to act as a fake YOU to the sites you visit.  It’s THAT computer’s IP address that your sites will see.

All traffic between you and all the TOR computers that your traffic passes through is encrypted.  The TOR computers do not know of your entire connection path through all the TOR computers you’re connecting through.  ONLY your own device knows that.  This is to prevent malicious adversaries from trying to reverse trace where you are.

Doesn’t this slow my connection down?

You betcha!  Yes.  Yes it does.  You do NOT want to do this for a first person shooter game.  YOU WILL LOSE!

Step by step instructions (FINALLY!)

If your device is NOT rooted, you’re going to change your proxy address to “localhost” and your port to 8118 after you download and install Orbot. The steps for doing that follow the installation steps below:

  1. Download the app “Orbot” from the Google Play store.
  2. Optionally, you may want to ALSO install “Orfox”, a browser made to work on the TOR network.  It’s a modified version of the Firefox browser.  It works in tandem with Orbot.  But any browser will work.
  3. Launch the Orbot app.
  4. Long press on the screen to start Orbot.
  5. If you want to appear to be from a specific country, tap the drop down control in the bottom right of the screen and choose your desired country.
  6. If your device is rooted, skip the following steps about configuring your wifi connection and go directly to step #11.
  7. If your device is NOT rooted, it requires a little more work.  Steps 7-9 will need to be completed every time you connect to TOR.  Go to Settings->Wifi, long press on the wifi connection that you’re connected to, and select “Manage network settings”.
  8. Now check the box “Show advanced options”.
  9. Change your Proxy to “Manual”.
  10. Change your Proxy Host Name to localhost and your Proxy port to 8118 and tap “SAVE”.
  11. If everything worked (and it doesn’t always), you should have a secure connection on the TOR network now.  Open Orbot and click the “Browser” button on the lower left.
  12. If you have Orfox installed, it should open Orfox and load a test page.  It will tell you if you’re on a safe Tor connection.  If you don’t have Orfox installed, it’ll launch your default browser and do the same thing.  Here are 2 screenshots, one of Orfox and one of Chrome:

If it didn’t work, you’ll see a “sorry” page instead of the test page.

If you see the “sorry” page, launch Orbot, then open its menu and choose “Exit”, then go to step #3 and try again.  There’s no guarantee that this will work all the time.  Some days it works.  Some days it doesn’t.

How to end TOR and go back to NORMAL networking

  1. Open the Orbot app, long press, and Orbot will end the TOR connection.  The onion icon will become gray.
  2. Open the menu in the Orbot app and choose “Exit”.
  3. Fix your wifi proxy back… Settings->Wifi.
  4. Long press your wifi network and choose “Manage network settings”.
  5. Click the check box “Show advanced options”.
  6. Change “Proxy” back to “None”.
  7. Tap save.

You should now have a normal network connection again.  As a last resort, simply reboot your device if networking fails to restore to normal.

Encrypt Your Entire Non Boot Disk

This is another entry in my list of articles, “Encrypt All The Things! [A Guide]”, on encrypting your entire digital life from end to end.  Click here for the lead article.  This article is about encrypting your entire NON boot disk on your server, desktop, or laptop computer.  These instructions are DIFFERENT from encrypting your boot disk, which you can find here.  I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar.   These instructions use free, open source software that’s NOT from Microsoft.

Short (VERY short version)
    1. Install encryption software.
    2. Backup the drive (no, seriously!  DO THIS!)
    3. Select an empty drive letter.
    4. Select device.
    5. Encrypt.

The rest of this shows you the details of those steps.

Let’s begin
  1. Download and install VeraCrypt from https://veracrypt.codeplex.com/releases/view/616110
  2. Select an available drive letter (your encrypted volume will have this drive letter, NOT the original drive letter).
  3. Click the “Select Device” button and choose your drive to be encrypted.  (3 lines for each drive show up.  Choose the line that contains your drive’s current drive letter).
  4. From the “System” menu, choose “Encrypt System Partition/Drive”.
  5. Follow the directions in the software.

DO NOT FORGET YOUR PASSPHRASE!!!!!

After that, you’re all done.  Now, every time you reboot, if you want to open your encrypted drive, you’ll need to mount it with VeraCrypt.  SO DON’T YOU DARE FORGET YOUR PASSWORD!  Seriously!  If you forget your passphrase, there’s NO WAY to recover it.  That’s it.  It’s done.  The data on your non boot drive will be gone forever.  You’ll have to reformat your drive and start all over OR pull out the drive and set it aside, hoping you’ll remember your passphrase some day.  I cannot stress this enough.  You CANNOT forget your passphrase!  I recommend storing a HINT of your passphrase in an ENCRYPTED password management tool, like LastPass.  I use the “secure notes” feature to store mine.

Your drive is now much more secure.

Creating an encrypted, virtual disk

This is the fourth post in my “Encrypt All The Things!” series (the lead article is “Encrypt All The Things! [A Guide]”).  The prior article was on encrypting a single file: “Encrypt Individual Files (Desktop)”.

In an effort to increase my privacy and my family’s safety, I’m going through and encrypting everything that’s possible and writing a series of articles on end-to-end encrypting for everything from phone calls to hard drives.

    What you’ll need

      • Encryption software (described below, with links – It’s FREE)
      • A Windows, Mac, or Linux PC.

    Software

    TrueCrypt was one of the most popular disk encryption programs for a long time, until May 2014, when its anonymous authors unexpectedly pulled the plug and put a terse, strange notice on their website that the program was insecure and people should go find something else.  The whole tech industry was scratching their heads because the first phase of a very public security audit had just finished without finding any backdoor or serious design flaw.  The most likely explanation is that the author(s) just got tired of supporting it and called it quits.  Fortunately, the source code was available, and other groups have taken over, forked the code, and have been improving on it.  VeraCrypt is a popular fork (of the last full release, TrueCrypt 7.1a) that I recommend.  You can download it here.  It’s available for Windows, Mac, & Linux.  And it’s fully open source and free and supported by its new authors.

    Download and install VeraCrypt.

    Virtual Disks

    We’ll be making a virtual disk that’s encrypted.  A virtual disk is simply a large file.  VeraCrypt can do its magic and make Windows/Mac/Linux think it’s a disk, so you can read and write files in it, just like on any other hard drive.  In Windows, the virtual disk will have its own drive letter (but only when you “mount” it… when you’re done with it, you “dismount” it and it stops looking like a disk to the OS).

    • Click the “Create Volume” button to begin.

    • Make sure “Create an encrypted file container” is selected, then click “Next”.
    • Select “Standard VeraCrypt volume” and click next.  I’ll let you discover the other features of this product outside the scope of this tutorial.
    • For “Volume Location”, click the “Select File…” button and choose a place on one of your accessible hard drives or network drives.  You’ll need to provide a file name.  I recommend giving it an ambiguous name like “Graphics-System.dll”.  This obscures the purpose of the file from a casual snoop, but don’t count on it for more than that: a VeraCrypt container has no header and is just random-looking bytes from the first byte on, while a real DLL starts with an “MZ” signature, so anyone who actually inspects the file (or notices a multi-gigabyte “DLL” sitting in your documents folder) will know what it is.  The encryption, not the name, is what protects your data.
    • Then click “Save”.  Also, make sure “Never save history” is checked.  This prevents someone who runs this app on your machine from seeing where you created your last encrypted virtual disk.

    • Click “Next” and if you named it with a file extension of “.dll”, then you’ll get a warning.  It’s OK.  We’re doing this on purpose.
    • Now, choose your encryption method.  All of them are good.  The cascade options (two or three ciphers stacked, such as AES-Twofish-Serpent) are there for people who worry that one cipher might be broken some day; the price is that every read and write runs through each cipher in turn, so they are correspondingly slower.  For most people, plain AES is the right answer.

      • Remember, the tougher the encryption, the slower the encrypting and decrypting.  I recommend clicking the “Benchmark” button and choosing the one that gives you the fastest speeds, unless you have state secrets or secrets that can cause significant harm to you or others; in that case take one of the options that gives you all three.  You may notice that one of them is significantly faster than the others.  If so, your CPU probably has encryption hardware built in (Intel and AMD call it AES-NI), and VeraCrypt will use it if you choose AES.  As you can see, AES is drastically faster than the others on my own machine.  That’s because my Intel CPU has AES encryption hardware.  I’m going to choose “AES”.

    • For the hash algorithm: this is not used to encrypt your data.  VeraCrypt runs your passphrase through PBKDF2 with the hash you pick here (hundreds of thousands of iterations) to derive the key that unlocks the volume header; that slow derivation is what makes guessing passphrases expensive.  Any of the choices is fine.  SHA-512 is stronger than SHA-256.  Whirlpool and SHA-256 are similar in strength, but SHA-256 was designed by the NSA and Whirlpool wasn’t.  Use that information however you like!  I’m choosing Whirlpool.
    • Next, choose the size of your encrypted virtual disk.  This is up to you.  How much space do you need for your encrypted data?  Whatever that number is, it HAS to be less than the available space on whatever drive you’re storing the virtual disk file on.
    • Next, choose your password.  This is a pass phrase you’ll need to enter every time you mount the encrypted volume.  Obviously, use something strong, long, and easy to remember, but difficult for others to figure out.  I recommend typing in a full sentence, with punctuation.  CASE MATTERS!  Don’t use famous quotes.  Think of something that is unique to you like, “I hate it when people cut in front of me in line at the movies!@#$”  Be creative!  (And don’t use that exact sentence.  It’s published now, so treat it as already guessed.)

    • After entering and re-entering your pass phrase, click next.  That takes you to the “Volume Format” window where you need to rapidly move your mouse back and forth, up and down, in circles, and everything else in that window.  VeraCrypt mixes your mouse movements into its random pool on top of what the operating system’s own random number generator provides, and that pool is what the volume’s master key is generated from.  The more randomness it gets from you, the better, so spend a full minute or two just moving your mouse every which way across that window.  Then click “Format”.

    Congratulations!  You have now created your first encrypted virtual disk.  But, in order to USE it, there’s just a little more to do (and this is what you’ll need to do every time you want to mount your encrypted, virtual disk).

    Mounting your virtual disk

    Back to the main window of VeraCrypt, pick a drive letter from the list provided (Mac & Linux will be slightly different), then click “Select File” and find your encrypted virtual disk file (You DID pay attention to where you created it, right?)

    And click the “Mount” button.   Then enter the pass phrase you created at the beginning.  Without this passphrase, it will be impossible to access the encrypted data on your virtual disk (even if there’s nothing in it yet, you can’t even mount it without the passphrase).

    If you used a system file extension like “.dll” on your encrypted volume, you’ll get another warning when you try to mount it.  Just click OK.  It’s OK, we meant to do this.  We’re trying to fool the bad guys, right?
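As an added illustration of the caveat about disguising a container as a DLL (this is example code written for this page, not something from the article or from VeraCrypt): a file named like a DLL that has no PE “MZ” signature and whose bytes have close to 8 bits of entropy per byte stands out to even the simplest triage script. The `classify` function, the threshold, and the three sample blobs are all constructed for this example; `classify_file` is a convenience wrapper for real files.

```python
"""Why "Graphics-System.dll" does not make a VeraCrypt container look like a DLL.

Added example (not from the article). A real DLL is a PE file and starts with
the two bytes "MZ"; a VeraCrypt container has no magic bytes at all and is
statistically indistinguishable from random data from its first byte. A quick
look at the header plus a byte-level entropy estimate tells them apart.
"""
import math
import os
from collections import Counter

HIGH_ENTROPY = 7.9   # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(sample: bytes) -> str:
    """Rough triage of a file's first bytes.

    'pe'        : starts with the DOS/PE magic "MZ" (a real .dll/.exe)
    'encrypted' : no recognizable header and near-maximal entropy
    'other'     : everything else (text, sparse/zeroed files, ...)
    """
    if sample[:2] == b"MZ":
        return "pe"
    if shannon_entropy(sample) >= HIGH_ENTROPY:
        return "encrypted"
    return "other"


def classify_file(path: str, sample_size: int = 65536) -> str:
    """Classify a real file by its first sample_size bytes."""
    with open(path, "rb") as f:
        return classify(f.read(sample_size))


# Constructed samples standing in for files on disk (not real files).
FAKE_DLL_HEADER = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"  # minimal PE-looking header
FAKE_CONTAINER = os.urandom(65536)       # what a VeraCrypt container looks like
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 1000

if __name__ == "__main__":
    for name, blob in (("Graphics-System.dll (real DLL)", FAKE_DLL_HEADER),
                       ("Graphics-System.dll (container)", FAKE_CONTAINER),
                       ("notes.txt", PLAIN_TEXT)):
        print(f"{name}: {classify(blob)}  entropy={shannon_entropy(blob):.3f}")
```

The entropy test alone also flags compressed and already-encrypted files (zips, JPEGs, other containers), which is exactly why forensic tooling uses it: a high-entropy file with no recognizable header is always worth a second look, whatever its extension says.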

    You’re Done!

    Your encrypted volume is now mounted and ready to use, like any other disk.  “But, can I…”  YES!  It’s just a volume like any other volume.  You can read and write to it exactly like anything else.  You can stream video files to and from it just like any hard disk.

    Notice I have mine mounted with the “M” drive letter assigned to it.  You can exit VeraCrypt and your encrypted virtual volume will stay mounted.  When you’re done with this, start VeraCrypt back up, select the volume, and click “Dismount”.

    As long as it’s mounted, anyone that has physical access to your machine can access its contents, so be sure to dismount as SOON as you’re done with it.  Also, anyone with NETWORK ACCESS to your machine, and any malware running on it, can reach the contents of your encrypted volume.  It’s ONLY protected when it’s NOT MOUNTED!  While it’s mounted, the master key sits in RAM and the files are just files to every program on your computer!!!  Two settings worth turning on in VeraCrypt’s Preferences: auto-dismount when the screen saver starts or the user logs off, and auto-dismount after the volume has been idle for a number of minutes.  Also be aware that sleeping or hibernating with a volume mounted can leave the key in RAM or in the hibernation file, so dismount before you close the lid.

    Notice my M: drive in my drives list?

    That’s the encrypted volume I just created and mounted.  Yes, it’s a really small disk.  Don’t tell anyone, OK? Smile  I do have bigger ones!  No!  Really!  I do!  Wait!  Where are you going?

Encrypt Individual Files (Desktop)

This is the 3rd article in a series of articles about encrypting your entire digital life

Encrypt All The Things! [A Guide]

…from end to end.  Click here for the lead article.  This article is about encrypting individual files on your desktop computer.  I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar.

Short (VERY short version)

    1. Install encryption software.
    2. Create your encryption keys.
    3. Encrypt a file.
    4. Decrypt a file.

The rest of this shows you the details of those steps.

Review or brush up

Before you go any further, it’s really important that you are familiar with the basics of modern day encryption.  Please review this article on understanding encryption:

Understanding Encryption

 

I will be using terminology that won’t make sense to you if you have not read the “Understand Encryption” article or are not already fairly familiar with encryption and how it’s implemented in modern technology.

Let’s begin

    1. Download and install Gpg4win from http://www.gpg4win.org/
    2. Once installed, you’ll need to import your friends’ public keys (if you plan on sending them anything encrypted) and create your own (if you don’t already have any).
      1. Open Kleopatra (it’s installed with Gpg4win).  It’s a key management application.
      2. Click the “Lookup Certificates on server” button and enter your friends’ names and/or e-mail addresses to see if they have public keys.  If they’re not published, you can easily ask them directly.  Most likely, most of your friends do not yet.  I’d encourage you to get them started on this.
      3. Now, create or import YOUR key pair.  Kleopatra can create one too (File menu, “New Certificate…” or “New Key Pair…”, depending on the version), but the steps below use GPA, the other key manager Gpg4win installs, so close Kleopatra and open GPA.  Yes, it’s almost a clone of Kleopatra.  No, I don’t know why there are two of these tools.  But GPA will let you create key pairs.
      4. Open the “Keys” menu and choose “New Key”.
      5. Enter your name (you can’t change this, so choose wisely), then “Next”, then your e-mail address.
      6. Yes, you want a backup copy.
      7. Enter your passphrase… DO NOT EVER FORGET IT!  DON’T BE STUPID – MAKE IT COMPLEX!  I recommend saving it in LastPass.com (get set up with LastPass.com if you’re not already.  It’s TOTALLY worth it (free)).
      8. Right-click your new key and choose “Export Certificate to Server” which will export your public key to a public key server for others to find so they can send you encrypted data.  Be sure before you do this: the traditional public key servers never delete anything, so a published key (and the name and e-mail address on it) stays there forever, even after you revoke it.
    3. Now that your contacts’ keys are imported and you’ve created your own key, let’s encrypt a file.
      1. Open Windows Explorer (I said _Windows_ Explorer, NOT _Internet_ explorer!) and find some file that you’d like to encrypt.
      2. Right-click the file and choose “Sign & Encrypt” (You don’t have to do both signing AND encrypting.  You can do just one, if you like).
      3. In the dialog box, make sure “Encrypt” is selected.  If you want to bundle several files into one archive before encrypting, check “Archive files with”.  Do any compressing BEFORE encrypting: encrypted data looks random, so compressing it afterward gains nothing.  (GnuPG compresses the plaintext on its own by default, so you rarely need to do it yourself.)
      4. Click “Next” then pick your recipient (who you want to be able to decrypt the file).  If it’s just you, then choose your own key.

To decrypt the file, just right-click it and choose decrypt.  It will know which key was used and will prompt you for the passphrase.  If the sender signed the file, the same decrypt/verify step also tells you whether the signature checks out against the sender’s public key.

Encrypt All The Things! [A Guide]

So, Microsoft Windows 10 sends your private data to Microsoft (e-mail and private files in private folders; read the EULA if you don’t believe me), your employer is snooping on your web traffic at work, local hackers are packet sniffing your web traffic at the coffee shop, your neighbors are hacking your home Wi-Fi, cloud providers have access to your files, thieves have access to everything on your laptop or phone when you lose them in public, and don’t even get me started on the NSA and all the things THEY have access to (hint:  it’s everything, including your phone calls), not to mention your ISPs and rogue, tin-pot tyrannical dictatorship governments around the world.

You want your data to stay out of their hands and eyes?  Then you’d better put on your foil hat, pull up a chair, and pay attention to this how-to on encrypting all your data and all your communications (including phone calls!) and some best practices thrown in for good measure.

From a high level, here are the things we’ll be encrypting.  I’ll break them up into separate articles, because it would be quite a lot to take in all at once.  I’ll be writing these articles over the next couple of weeks, so check back here to see this topic list change from black text to hot links to the published articles.

Understanding Encryption

Encryption

The topic of encrypting is wide and deep, so I’ll narrow this discussion to the basics of what you need to understand about E-Mail encryption and I’ll be as concise as possible.  This also begins a series of articles on encryption I’ll be writing over the next week or two explaining everything you need for end-to-end encryption for everything in your digital life from files on your mobile device to phone calls to everything on your PC.  All software in my series will be free and open source.

Encryption and Decryption

When you send an encrypted message to someone else, you must have that person’s public key.  This is an encryption key that they publish on public key servers for anyone and everyone to have access to.  These public keys can only encrypt messages.  They cannot decrypt messages.  If you encrypt a message with a friend’s public key, there is NO WAY you can decrypt it, not even with the public key you just used to encrypt it.

Why?  Because the public key was created with a complex mathematical formula that actually created TWO keys that work together.    Anything encrypted with ONE key can ONLY be decrypted with its pair key.  When you use your friend’s public key to encrypt a message before sending it to them, ONLY your friend can decrypt that message and they must do it with their private key.

Conversely, when someone sends YOU an encrypted message, they MUST encrypt it with YOUR public key.  ALL encrypted messages YOU receive MUST have been encrypted with YOUR public key.

YOU create a public/private key pair with a key generator.  There are many apps that can generate key pairs.  Most of them follow OpenPGP, which is the popular standard here.  OpenPGP is not itself an algorithm; it is a specification (RFC 4880) for how keys, encrypted messages, and signatures are formatted and which algorithms (RSA, elliptic curves, AES, and so on) they may use, so that any OpenPGP program can read what any other one produces.

When your friend sends you an encrypted message, encrypted with YOUR public key, only YOU can decrypt that message and ONLY with your private key that was created along with your public key.  (Under the hood, OpenPGP doesn’t push the whole message through the public key, which would be slow and only works for tiny messages.  It generates a fresh random symmetric key for each message, encrypts the message with that, and uses your public key only to wrap that one-time key.  The effect is the same: without your private key, the wrapped key, and therefore the message, stays locked.)

Your public key is meant to be shared.  That’s how people encrypt messages intended for you.  Your private key is exactly that:  private.  You MUST protect it and never, EVER give anyone access to it.  This means do NOT store it on a cloud drive.  Do NOT EVER e-mail it to anyone, not even yourself, because as soon as you hit “send”, it’s passing through the internet unencrypted.  (Yes, the key file itself is normally locked with your passphrase, but whoever holds the file can guess at that passphrase offline at leisure; it is the last line of defense, not a reason to be careless.)  If you ever make the mistake of e-mailing your private key or storing it on a cloud drive, you should consider that key compromised.  You’ll have to revoke the key and create a new pair.  It’s now well known that the NSA intercepts all e-mail traffic.  If you EVER e-mail your private key, there’s a nearly 100% chance that the government now has your private key and has the ability to decrypt any and all content encrypted for you with your public key.

Digitally Signing content.

A neat side effect of having public/private key pairs is that you can run them the other way around.  Instead of encrypting with someone’s PUBLIC key, you apply your PRIVATE key to some data.  You would never do that to keep a secret, because 100% of the population has access to your PUBLIC key and anything transformed with your PRIVATE key can be undone with your PUBLIC key.

So, why would you do this?

Simple: if you want to PROVE that a document was actually created or sent by YOU.  Applying your PRIVATE key to content (strictly, to a hash of it; see below) is called “digitally signing” the content.  Just as data encrypted with your public key can only be decrypted with your private key, anything produced with your private key can ONLY be undone with your public key.  So if your public key checks out, your private key must have made it.

So, if you ever want to prove you’re the sender of an e-mail message, you digitally sign it before sending it.  The receiver gets your public key from any public key server, checks the signature against the message, and that proves it had to have been signed with ONLY your private key, and that the message hasn’t been altered since.

Two practical notes.  First, real signing doesn’t run the whole message through the private key.  The software hashes the message (with SHA-256, for example) and applies the private key to the hash; the verifier recomputes the hash and checks that it matches what the public key recovers.  That’s why a signature is small and fixed-size no matter how big the message is.  Second, signing and encrypting are independent: you can sign without encrypting (anyone can read it, but they know it’s from you), encrypt without signing, or, most commonly, do both.

Let me reinforce that “encrypting” with your private key is NOT considered “encrypting” since anyone can decrypt it.  It’s considered “digitally signing”.

Got it?  Good!  Now, go encrypt all the things!

Check back later for updates too!

Next, be sure to read the next article in this encryption series:

Sick of the NSA Spying on you?

Setting aside the tin foil hat and paranoia jokes, no one likes being tracked or their private text messages being scraped up by the U.S. government’s massive computers, nor their phone metadata being logged, nor even the possibility of someone being able to listen in or record your phone calls (the NSA denies they listen to calls, but others with even FEWER ethics CAN).

 

Here’s what you can do to protect yourself on your Android SmartPhone

  • Encrypt your text messages.  There are 2 good options:

Install the TextSecure app.  This app will automatically detect which of your contacts also has this app installed and will automatically encrypt your SMS text messages with those individuals.  TextSecure is available on iOS too!  This means you can have encrypted texting sessions with both iOS and Android users!

Root your phone and install CyanogenMod 11 (or higher).  CM 11 has built-in support for TextSecure encryption, coded directly INTO the Operating System.  This means, you don’t have to install the TextSecure app.  Automatically, ALL SMS apps on your phone suddenly support TextSecure encryption.  But, you have to turn it on.  The feature is called “WhisperPush”.  Simply find the WhisperPush app on your phone, run it, and follow the instructions.  It’s the simplest setup you’ll ever experience.

  • Encrypt your voice phone calls (yes, you can do that)

This used to be the stuff of only fiction in spy movies, but it’s a reality today and YOU can do it within minutes of reading this article.  First, install the app RedPhone from the Google Play Store.  This app is made by the same people that make TextSecure.  Both you and the person you’re calling (or receiving a call from) have to be using this in order to have a secure, encrypted phone call.  When you install the app, the first time you run it, it’ll ask you to register your phone number.  Now, when anyone else with the app calls your number, the app knows you have it and will offer the caller the option to make the call encrypted.  Note that this uses your DATA connection and NOT your phone connection.  You’re not actually making a phone call.  It’s more of an internet audio chat.  But you don’t need to know that other than if you have a data cap, this will use your data.  As far as you and the other caller are concerned, for all practical purposes, it’s a phone call.  But your carrier will have no call record of it AND anyone trying to listen in will only see a stream of random-looking bytes.  It’s totally encrypted… just like in the spy movies! Smile  (Since this was written, TextSecure and RedPhone have been merged into a single app, Signal, which handles both encrypted messaging and encrypted calls.)

  • Encrypt your E-Mail

This is a bit more difficult.  I’ll provide another article on how to do this.  The short version is you need to install djigzo from the Google Play store to manage your keys.  Then you’ll need an e-mail client that can use those keys to encrypt and decrypt your e-mail.  K-9 Mail is supposedly one of those apps.  For the record, I’ve NEVER gotten this to work.

  • Encrypt your phone

Android can encrypt your entire phone.  Don’t confuse yourself.  This does NOT encrypt ANY internet traffic to or from your phone.  It encrypts the files on the phone itself.

Go to Settings –> Security –> Encrypt Phone

Warning!  This can take an hour or so!  Make sure your phone is plugged in AND has at least an 80% charge.  You do NOT want this failing in the middle of  it.  It will also require you to set a lock screen PIN or password, if you don’t already have one.  Once you do this, you CANNOT flash anymore ROMs on your phone (if you’re rooted).  So, make sure you’re good to go with the ROM you have.

  • Add a PIN or password to your phone

This one is obvious.  You need to set a PIN or a Password on your lock screen, otherwise, anyone can use your phone and see your data.

  • Add extra PIN for individual apps

Install the app AppLock from the Google Play store.  Open it up and set your settings.  You’ll set a PIN and you’ll select the apps you want to have an extra layer of protection.  Hint:  DO NOT use the SAME PIN here that you’re using for your phone lock screen.

This app will pop up a PIN prompt whenever someone tries to open one of your extra protected apps.  For example, you may want to enable your banking apps and credit card apps via AppLock so that you have to know that extra PIN in order to launch them.  This way, if you let someone borrow your phone, they can’t go snooping into your financial data.

  • Hide apps and/or files on your phone

Maybe you have some apps that you don’t want other people to know or use.  Go to the Google Play store and download an app called Hide It Pro.  When you install it, it’ll show up on your phone as “Audio Manager”.  It’s deliberately deceptive.  The purpose of this app is to hide apps and/or files on your phone.  You protect them with a password of your choosing.  If someone’s snooping around on your phone, all they’ll see for this app is a music icon with a label, “Audio Manager”.  And if they launch it, it’ll even have working audio controls.  Those controls are totally for faking out people snooping on your phone.  Long press on the app title at the top of the screen (inside the app) and you’ll be prompted for a password, which then takes you into the real app where you can select apps and files to hide.  They won’t even show up anywhere on the phone with the regular phone interface.

  • Hide your browsing and internet traffic

Your ISP can see all the sites you go to, and so can the NSA, and so can anyone else snooping on your wireless connection (or even your wired connection).  And websites know what IP address you’re using, which means they can ask the ISP that owns that IP address who is using it, and they’ll give them your name, address, and phone number.  What you need is something that bounces your web page requests through several computers around the world so that no single one of them knows both who you are and where you’re going.  That’s what the Tor network does.  Yes, this is exactly what you see “hackers” doing in hi-tech spy movies and YOU can do it too… VERY EASILY.  Install the app Orbot on your phone.  Follow the directions.   It’s super simple.  If your phone is rooted, it can route ALL of your internet traffic through Tor.  If your phone is NOT rooted, it can work with a few apps on your phone (web browser and e-mail, in particular) and route the traffic from those supported apps through Tor.  It’ll slow down your connection a little, but it hides where you’re going from your ISP and other nosy 3 letter acronyms, and hides who you are from the sites you visit.  Keep in mind that the last Tor node can still read your traffic if the site isn’t using HTTPS, and Tor doesn’t hide anything you log in to or type.

Follow me on Twitter @CSharpner.

Check back later for updates too!